IDS and your network


Published on June 16, 2007

Author: Sharck


'IDS and your network'
Dale Tongue, 10 September 2005

Intro
What is a router?
What is a syslog server?
What is a firewall?
What is an IDS?
How does a network get blocked?

What is a router?
Router - A router is a hardware device designed to take incoming packets, analyze each packet and then direct it to the appropriate location: moving the packet to another network, converting the packet to be moved across a different type of network interface, dropping the packet, or performing any number of other actions.
Brouter - Short for bridge router, a brouter is a networking device that serves as both a bridge and a router.
Core router - A core router is a router in a computer network that routes data within a network but not between networks.
Edge router - An edge router is a router in a computer network that routes data between one or more networks.
Virtual router - A virtual router is a backup router used in a VRRP setup.

Router examples
(diagram slide; no text)

What is a Syslog Server?
Syslog - Short for SYStem LOG, syslog is a logging system originally developed for UNIX systems. A syslog is a collection of error messages, warning messages, and/or other system messages that are sent to a central location through UDP port 514. Today syslog is available on, or can be run by, the majority of operating systems as well as hardware devices such as network switches and routers.

Syslog Server example
(diagram slide; labels: ID/Pwrd)

What is a Firewall?
Firewall - The primary method for keeping a computer secure from intruders. A firewall allows or blocks traffic into and out of a private network or the user's computer. Firewalls are widely used to give users secure access to the Internet as well as to separate a company's public Web server from its internal network.
Firewalls are also used to keep internal network segments secure; for example, the accounting network might be vulnerable to snooping from within the enterprise. A firewall can be as simple as a single router that filters out unwanted packets, or it may comprise a combination of routers and servers, each performing some type of firewall processing.
Firewalls are good DETECTION devices: they can detect legal/illegal access by logging it.
Firewalls are weaker PROTECTION devices: attack code can be in the application layer, not the network layer; application firewalls address this.

What is a Firewall? (Cont) - Firewall Techniques
Following are the different methods used to provide firewall protection; several of them are often used in combination.
Packet Filter - Blocks traffic based on a specific Web address (IP address) or type of application (e-mail, FTP, Web, etc.), which is specified by port number. Packet filtering is typically done in a router, which is known as a 'screening router.' See bastion host.
Proxy Server - Serves as a relay between two networks, breaking the connection between the two. Also typically caches Web pages (see proxy server).
Network Address Translation (NAT) - Allows one IP address, which is shown to the outside world, to refer to many IP addresses internally, one on each client station. Performs the translation back and forth. NAT is found in routers and is built into Windows Internet Connection Sharing (ICS). See NAT and ICS.
Stateful Inspection - Tracks the transaction to ensure that inbound packets were requested by the user. Generally can examine multiple layers of the protocol stack, including the data, if required, so blocking can be done at any layer or depth. See stateful inspection.
Most are 'Deny All – Allow By Exception'.

Firewall Example
The use of two screening routers in the firewall configuration offers two points of protection from the outside world to the internal LAN. Denying all, allow by exception.

What is an IDS?
IDS (Intrusion Detection System) - Software that detects an attack on a network or computer system. A Network IDS (NIDS) is designed to support multiple hosts, whereas a Host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations from the normal routine as indications of an attack. Intrusion detection is very tricky: too much analysis can add excessive overhead and also trigger false alarms; insufficient analysis can overlook a valid attack. See protocol anomaly, traffic anomaly, IPS and attack.

NIDS example
(diagram slide; label: Syslog Server)

Sequence of events
The network is watched for signatures and checked for someone 'knocking' on the door, such as:
(1) Scan the network to:
- locate which IP addresses are in use,
- identify what operating system is in use,
- identify what TCP or UDP ports are 'open' (being listened to by servers).
(2) Run 'exploit' scripts against open ports.
(3) Get access to a shell program which is 'suid' (has 'root' privileges).
(4) Download special versions of system files that will let hackers have free access without their CPU time or disk storage space being noticed by auditing programs.
(5) Use IRC (Internet Relay Chat) to invite fellow hackers.
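The firewall slides above describe stateful inspection ("inbound packets were requested by the user"), 'Deny All – Allow By Exception', and the screening router's value as a detection device that logs what it drops. The following Python model ties those three ideas together; it is an added example written for this page, not code from the presentation or from any firewall product. The inside network 10.0.0.0/8, the two published services, and the sample packets are constructed. Step (1) of the 'Sequence of events' (probing for listening ports) is exactly the unsolicited inbound traffic this filter denies and records.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK marks a new connection attempt
    ack: bool = False


# The protected LAN behind the screening router (constructed address space).
INSIDE = ipaddress.ip_network("10.0.0.0/8")

# Allow-by-exception list (constructed): (proto, inside host, port). Inbound
# traffic that matches nothing here and belongs to no known flow is denied.
ALLOW_INBOUND = [
    ("tcp", ipaddress.ip_address("10.0.0.9"), 80),   # public web server
    ("tcp", ipaddress.ip_address("10.0.0.7"), 25),   # mail relay
]


class StatefulFirewall:
    def __init__(self):
        # Flow table: (proto, inside ip, inside port, outside ip, outside port)
        self.flows = set()
        self.log = []   # one line per decision; this log is the firewall's detection value

    def _published(self, p):
        """Does the packet target a service on the allow-by-exception list?"""
        return any(p.proto == proto and ipaddress.ip_address(p.dst) == host and p.dport == port
                   for proto, host, port in ALLOW_INBOUND)

    def handle(self, p):
        """Return 'permit' or 'deny' for one packet and record the decision."""
        src_in = ipaddress.ip_address(p.src) in INSIDE
        dst_in = ipaddress.ip_address(p.dst) in INSIDE
        if src_in and not dst_in:
            # Outbound: permitted, and the flow is remembered so the reply can come back.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            verdict = "permit"
        elif not src_in and dst_in:
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                verdict = "permit"   # stateful: reply to a transaction an inside host started
            elif self._published(p) and (p.proto != "tcp" or (p.syn and not p.ack)):
                self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
                verdict = "permit"   # new connection to a published service
            else:
                verdict = "deny"     # default deny: nobody inside asked for this packet
        else:
            verdict = "permit"       # traffic that does not cross the perimeter is not this router's job
        self.log.append(f"list 101 {verdict} {p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport})")
        return verdict


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed traffic: a DNS lookup and its reply, then an unsolicited probe of ssh,
    # a legitimate web connection, and an ACK-only packet that matches no flow.
    fw.handle(Pkt("udp", "10.0.1.20", 5353, "203.0.113.53", 53))
    fw.handle(Pkt("udp", "203.0.113.53", 53, "10.0.1.20", 5353))
    fw.handle(Pkt("tcp", "198.51.100.23", 4120, "10.0.0.5", 22, syn=True))
    fw.handle(Pkt("tcp", "198.51.100.77", 2212, "10.0.0.9", 80, syn=True))
    fw.handle(Pkt("tcp", "203.0.113.8", 3301, "10.0.0.9", 80, ack=True))
    print("\n".join(fw.log))
```

The log lines follow the shape of a router ACL log so that they can be fed to the syslog server the next slides talk about; a real screening router would also age entries out of the flow table, which this model omits.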
Sequence of events (Cont)
As the IDS boxes spit out data, the syslog server is checked against the 'knocking' IP/network:
Search for anything from that IP or subnet.
Use ARIN, APNIC, RIPE, Sam Spade, etc.
Dial-up will give a new IP, but probably the same subnet.
If it's not a coincidence, block the IP or the subnet.

Blocking the network
Using CiscoWorks, edit the template and FTP it to all sites.
The offending network would/could be trying all networks; this cuts down on labor and assures a block everywhere.
If the offending network is, will you get your mail to an domain?
Discuss the bh.korea list that commercial vendors use.

Domains?
The internet is big. There are two entry points into the NIPRNet, from the 'fixed east' and 'fixed west'.
Access to the networks: each post has its own gateway, and each gateway has its Access Control List. As Huachuca edits the list, subnets can be denied. There can also be an 'allow' list.

Sequence of events?
(diagram slide; no text)

Intrusion Steps from the bad guy's perspective
Outside Reconnaissance – whois, DNS, WWW, FTP.
Inside Reconnaissance – ping sweep, inverse mapping, port scanning, rpcinfo, showmount, snmpwalk.
Exploit – exploiting vulnerabilities discovered earlier.
Foothold – gained entrance into the machine and now starts to hide the evidence; installs rootkits, trojans.
Profit – taking advantage of the entry, the hacker now goes after the real target: information, $$, credit card info, etc.
Joyride – systems used in a relay attack.
Randy Marchany, VA Tech IT Security Lab, VA Tech Blacksburg, VA 24060, email:

Common WWW Exploits
CGI – passing data to the command shell via shell metacharacters, using hidden variables, phf.
WWW server IIS/RDP – ../../../../ attack to get files from the server. Alternate data streams ( Win95 names).
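The 'Sequence of events (Cont)' and 'Blocking the network' slides above describe the analyst's loop: take the 'knocking' address from the IDS, search the syslog server for anything else from that IP or its subnet, and, if it is not a coincidence, push a deny entry for the IP or subnet into the gateway ACL template. The Python below is an added example of that loop written for this page; it is not the presentation's or any vendor's code. The syslog lines are constructed (RFC 3164 layout, a router ACL log message, sshd and a NIDS alert with made-up text), the ACL number 101 is a placeholder, and the /24 grouping stands in for the slide's "same subnet" heuristic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of what a syslog server receives on UDP/514 (RFC 3164 style):
# two router ACL denies from one host, a failed ssh login and a NIDS alert from a
# neighbour in the same /24, one legitimate login, and an unrelated probe.
# Hostnames, addresses, times and the NIDS message text are made up.
SAMPLE_SYSLOG = """\
<134>Sep 10 01:58:12 edge-rtr 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(4120) -> 10.0.0.5(22), 1 packet
<134>Sep 10 01:58:14 edge-rtr 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(4121) -> 10.0.0.5(23), 1 packet
<38>Sep 10 02:03:40 mailhost sshd[4411]: Failed password for root from 198.51.100.77 port 51022 ssh2
<110>Sep 10 02:05:01 nids-1 snort[2201]: [1:1000001:1] WEB directory traversal attempt 198.51.100.77:2212 -> 10.0.0.9:80
<38>Sep 10 02:07:19 mailhost sshd[4419]: Accepted publickey for dale from 10.0.1.20 port 40112 ssh2
<134>Sep 10 02:09:33 edge-rtr 14: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.8(3301) -> 10.0.0.5(22), 1 packet
"""

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s(.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_syslog(line):
    """Split one RFC 3164 line into PRI (facility/severity), timestamp, host and
    message, and take the first IPv4 address in the message as the source."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri, ts, host, msg = m.groups()
    pri = int(pri)
    ips = IPV4_RE.findall(msg)
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": ts,
            "host": host, "message": msg, "src": ips[0] if ips else None}


def events_from(lines, who):
    """Return every parsed event whose source falls in 'who': a single address such
    as '198.51.100.23' or a subnet such as '198.51.100.0/24'. The subnet form is
    what catches a dial-up attacker who comes back with a new address."""
    net = ipaddress.ip_network(who, strict=False)
    out = []
    for line in lines:
        ev = parse_syslog(line)
        if ev and ev["src"] and ipaddress.ip_address(ev["src"]) in net:
            out.append(ev)
    return out


def sources_by_subnet(lines, prefixlen=24):
    """Count events per source subnet so that a cluster of 'knocking' stands out."""
    counts = Counter()
    for line in lines:
        ev = parse_syslog(line)
        if ev and ev["src"]:
            net = ipaddress.ip_network(f"{ev['src']}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts


def acl_deny_line(who, acl_number=101):
    """Render a Cisco IOS extended-ACL deny entry (wildcard-mask form) for the IP
    or subnet: the kind of line that goes into the template pushed to all sites."""
    net = ipaddress.ip_network(who, strict=False)
    if net.prefixlen == 32:
        return f"access-list {acl_number} deny ip host {net.network_address} any"
    return f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any"


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print(sources_by_subnet(lines))
    for ev in events_from(lines, "198.51.100.0/24"):
        print(ev["timestamp"], ev["host"], ev["message"][:60])
    print(acl_deny_line("198.51.100.0/24"))
```

Whether the second host in the same /24 is "not a coincidence" is still the analyst's call, informed by the whois lookups the slide lists; the code only makes the correlation and the resulting ACL line mechanical.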
URL – fields can cause buffer overflows as the URL is parsed in the HTTP header, displayed on the screen or saved in the cache history. An old IE bug would execute .LNK or .URL commands.
HTTP headers – can be used to exploit bugs because some fields are passed to functions that expect only certain information.
HTML – MIME-type overflow in Netscape Communicator's <EMBED> command.
JavaScript – usually tries to exploit the 'file upload' function by generating a filename and automatically hiding the SUBMIT button. Many fixes for this, but an equal number of circumventions.
Frames – part of a JavaScript or Java hack (hiding web bugs). Hackers include a link to a valid site that uses frames, then replace some of those frames with bad WWW pages.
Java – normal Java applets have no access to the local system, but sometimes they'd be more useful if they did have local access.
ActiveX – works purely on a trust model and runs in native mode.

Common Reconnaissance Scans and DOS Attacks
Ping sweeps
TCP/UDP scans
OS identification
Account scans
Ping of Death
SYN flood
Land
DDoS
See the PDF file that I brought for the RealSecure signatures file.

How Do NIDS Detect Intrusions?
Anomaly detection – measures a baseline of stats like CPU utilization, disk activity, user logins, file activity. The NIDS triggers when a deviation from this baseline occurs.
Signature recognition – pattern matching attack probes. Uses large databases to detect the attack. Antiviral software uses this. Works only for known attacks.

Matching Signatures with Incoming Traffic
A NIDS consists of a special TCP/IP stack that reassembles datagrams and TCP streams.
It uses:
Protocol Stack Verification – search for protocol violations (SYN/FIN, etc.).
Application Protocol Verification.
New Event Creation – log all application layer protocols for later correlation.

NIDS Detect the Attack
Firewall reconfiguration to block the IP address.
Chime – 'Danger, Will Robinson!' alarm.
Email or page admins.
SNMP trap – send a trap datagram to the console.
Syslog – record it in the NT Event log or Unix syslog.
Save evidence.
Launch a program to handle the event.
Terminate the TCP connection by sending a FIN.

Some NIDS Products
BlackIce Defender (Network Ice)
CyberCop Monitor (Network Associates)
RealSecure (ISS)
NetRanger (WheelGroup/Cisco)
eTrust Intrusion Detection (CA)
NetProwler (Axent)
Centrax (CyberSafe)
NFR (Network Flight Recorder)
Dragon (Security Wizards)
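The three NIDS slides above ('How Do NIDS Detect Intrusions?', 'Matching Signatures with Incoming Traffic' and 'NIDS Detect the Attack') describe signature recognition, protocol stack verification, anomaly detection against a baseline, and the list of responses a sensor can take. The Python below is an added example, written for this page, of a toy sensor that does all four on already-reassembled packets; it is not code from the presentation or from any of the listed products. The signature patterns (the ../../ traversal and phf probe named on the 'Common WWW Exploits' slide, plus a shell-metacharacter check), the sample packets, and the baseline of failed logins per hour are all constructed; the ACL number 101 is a placeholder.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset     # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""


# Signature database (constructed for this example): name -> pattern matched against
# the reassembled application payload. Real products carry thousands of these.
SIGNATURES = [
    ("WEB directory traversal (../..)", re.compile(rb"(\.\./){2,}")),
    ("WEB phf CGI probe", re.compile(rb"/cgi-bin/phf\b")),
    ("WEB shell metacharacter in query", re.compile(rb"\?[^\r\n]*[;|`]")),
]


def signature_matches(pkt):
    """Signature recognition: match known attack probes against the payload."""
    return [name for name, rx in SIGNATURES if rx.search(pkt.payload)]


def protocol_violations(pkt):
    """Protocol stack verification: TCP flag combinations a normal stack never sends."""
    found = []
    if {"SYN", "FIN"} <= pkt.flags:
        found.append("SYN and FIN both set")
    if not pkt.flags:
        found.append("no TCP flags set")
    return found


def inspect(pkt):
    """Run both per-packet checks; an empty list means the packet looked clean."""
    return signature_matches(pkt) + protocol_violations(pkt)


def anomaly_score(baseline, observed, k=3.0):
    """Anomaly detection: how many baseline standard deviations 'observed' sits from
    the mean of a stat such as failed logins per hour. Returns (z, is_anomalous)."""
    mean = statistics.fmean(baseline)
    sd = statistics.pstdev(baseline) or 1.0   # a flat baseline would otherwise divide by zero
    z = (observed - mean) / sd
    return z, z > k


def respond(pkt, findings):
    """The response actions from the 'NIDS Detect the Attack' slide, returned as
    strings so a caller (or a test) can inspect them; a real sensor would execute them."""
    detail = "; ".join(findings)
    return [
        f"syslog: IDS alert src={pkt.src} dst={pkt.dst}:{pkt.dport} {detail}",
        f"firewall: access-list 101 deny ip host {pkt.src} any",
        f"snmp-trap: ids.alert src={pkt.src}",
        f"tcp: terminate connection {pkt.src} -> {pkt.dst}:{pkt.dport} by sending FIN",
    ]


# Constructed sample traffic: addresses, payloads and flags are made up.
SAMPLE_PACKETS = [
    Packet("198.51.100.77", "10.0.0.9", 80, frozenset({"PSH", "ACK"}),
           b"GET /../../../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.23", "10.0.0.5", 22, frozenset({"SYN", "FIN"})),
    Packet("10.0.1.20", "10.0.0.9", 80, frozenset({"PSH", "ACK"}),
           b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def run_sensor(packets):
    """Inspect every packet and return the actions taken, keyed by source address."""
    actions = {}
    for pkt in packets:
        findings = inspect(pkt)
        if findings:
            actions.setdefault(pkt.src, []).extend(respond(pkt, findings))
    return actions


if __name__ == "__main__":
    for src, acts in run_sensor(SAMPLE_PACKETS).items():
        print(src)
        for a in acts:
            print("   ", a)
    # Constructed baseline of failed logins per hour, then an hour with 40 of them.
    print(anomaly_score([2, 3, 1, 4, 2, 3, 2, 3], 40))
```

The signature path is only as good as its database (the slide's "works only for known attacks"), while the anomaly path fires on anything far from the baseline, including legitimate surges; the slide's warning that too much analysis triggers false alarms is what the threshold k is tuning.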
